Building the engines of a Smarter Planet:

Be open to opportunity. Not security breaches.

To midsize businesses, the explosion of digital technology has introduced unprecedented opportunity. But it’s also introduced unprecedented risk. As the engines of a smarter planet, midsize businesses cannot afford lurking threats. And protecting against today’s hackers, viruses and network failures demands a smarter, more dynamic infrastructure. One that empowers you to respond quickly to change. IBM and its Business Partners have developed a number of solutions to help you do that. Like IBM® Express Managed Security Services. They’re designed to work seamlessly across your entire business to proactively protect against outside threats, without disrupting daily activities. Designed with midsize budgets in mind, the services also provide something you can’t put a price tag on: peace of mind. Here’s how to get started:

1. Learn how you can reduce complexity and security costs. IBM helps reduce potential risk from Internet threats and noncompliance (both could lead to network disruptions and fines) while lowering security costs.

2. Determine which security services meet your business needs. Get the right amount of protection, so that you’re safeguarding your assets while remaining flexible enough to grow.

3. Implement IBM Express Managed Security Services. IBM can patch vulnerable systems, help identify and preempt threats, deliver customized security reports, and provide access to the IBM X-Force® security team 24/7. It all helps keep your data protected.

Packages include IPS, firewall and VPN modules. Starting at $350 per month.

Increase protection, lower security costs.

Designed to offer superior, more efficient protection, the services can lower total cost of ownership by up to 55% on information security. With IBM X-Force security there for you 24/7, you can focus on conducting business. Not just protecting it.

Midsize businesses are the engines of a Smarter Planet.

The IBM Express Advantage™ Concierge can connect you to the right IBM Business Partner. Call 877-IBM-ACCESS or visit ibm.com/engines/security2

Actual savings and costs will vary depending on individual customer configurations and environment. Rates and offerings are subject to change, extension or withdrawal without notice. IBM, the IBM logo, ibm.com, Express, Express Advantage, X-Force, Smarter Planet and the planet icon are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml. © International Business Machines Corporation 2010.
[FROM THE EDITOR]

Head to Head

Last month, I got a ringside seat at the latest battle in one of the security industry’s oldest and most competitive rivalries. These two companies have been at each other’s throats for years, competing for the same customers in similar lines of business. With those clues I’m sure you know who I mean: Stanley and Verizon.

Yes, I know. Stanley might conjure up images of hammers and tape rules, and Verizon might be your phone company. Those are the associations you might have for each company if you’re thinking with your consumer hat on.

But since you have a CSO hat too, you probably know of Stanley as an integrator of physical security systems. It also has another business unit called Stanley Convergent Security Solutions, which offers monitoring services. Stanley CSS started life as HSM, a monitoring company that Stanley acquired in 2007.

Similarly, Verizon doubled its security bet in 2007 via its purchase of Cybertrust. (Not to sidetrack too much, but the original seed of Cybertrust was industry pioneer TruSecure.) The Verizon Business unit now offers a wide portfolio of security services.

I was being facetious in the first paragraph. Stanley and Verizon probably haven’t given each other much thought. But you see, they really are about to enter into serious competition. Both are aggressively looking at the market for highly integrated security systems and services.

Each company gave me a briefing in May. Stanley has been doing aggressive internal training on IP for years, and their folks talk with great insight about Physical Security Information Management systems, about clients’ need to preserve legacy investments but to interconnect those platforms (alarm systems, fire, video, access control) with an intelligent management layer that can reduce costs on many fronts and create business intelligence.

Verizon has recognized the fact that many significant “data” breaches have been the result of failed or absent physical security controls. They know that data is stored not only in networks but also on tapes and disks in offsite warehouses. They see that social engineering often includes physical components like dumpster dives or plain old trespassing. So they’re launching branded services integrating physical and digital defense.

I suppose I could take this chance to say “We told you so.” Oh look, I just did. Several years ago CSO stopped running debates about convergence and simply started aiming to incorporate the physical and digital dimensions into every topic where appropriate. You know, writing about security, all of it, as we’ve done from the starter’s gun in 2002.

Rather than arguing about whether, we simply started to focus on how.

You notice I’m studiously avoiding the word convergence in this discussion. The point is to solve security problems and provide business value, not to bicker over semantics and turf and certifications.

Anyway, Verizon and Stanley aren’t the first or only product and service providers to dive in. Quantum Secure, Cisco, Lenel, IBM and others have also seen the logic. What’s new here, to me, is the sense that the market has truly arrived. Finding two vendors seemingly coming from opposite poles and arriving at the same juncture seems like a bellwether to me.

It’s going to be fun to sit back and watch a variety of vendors from very different pedigrees striving to supply more and better pieces of how. And running into surprising competitors in the process.

-Derek Slater, dslater@cxo.com
FORTUNE 500 COMPANIES DON’T CHOOSE SECURITY ON A WHIM.

Over 95 percent of the Fortune 500 choose VeriSign SSL as their online security of choice.

Why? Because VeriSign can enable the strongest encryption available and has the most rigorous authentication standards. Or because VeriSign® Extended Validation (EV) SSL offers the most visible site security available by displaying the green address bar in high-security browsers, which is also the most effective defense against phishing scams. Add it up, and it’s easy to see why industry leaders choose VeriSign, the most trusted symbol of security on the Web.

It’s powerful. It’s the most visible. Learn more about protecting your site and your customers at VeriSign.com/EVSSLPaper.

© 2009 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, the Checkmark Circle logo, the VeriSign Secured logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc., and its subsidiaries in the United States and foreign countries. All other trademarks are property of their respective owners.


[FROM THE PUBLISHER]

Overdue Due Diligence

Lately I’ve been finding myself rushing into things. In this day and age, I think we all find ourselves having to race around because of the speed at which we conduct business. Remember when we used to call this “Internet speed”? I’m feeling really old. But with speed comes risk, because while we make decisions more quickly and react to crises in real time, we are missing the opportunity to avoid those crises in the first place. If we could just take a little more time before we make decisions to conduct even cursory due diligence, we could avoid a lot of the problems we find ourselves facing. Good due diligence is overdue.

Due diligence doesn’t just apply to merger or acquisition activities, and frankly, many organizations don’t even involve their security teams in their M&A process. Some level of due diligence should apply to all aspects of the business as part of a good risk-management program. That’s how it needs to be thought of: risk management. Part of the role of due diligence is to uncover those things that could pose a risk to the organization. That’s the first step in a risk management process.

Let’s look at a couple of areas where due diligence could help avoid risk. At CSO, we’re about to conduct our annual CyberSecurity Watch survey in partnership with the Secret Service, CERT Coordination Center at Carnegie Mellon, and Deloitte and Touche. Over the years, this study and others have repeatedly shown the risk posed to organizations by insiders. At the same time, we’ve watched the number of organizations that conduct background checks go down every year.

A word of warning: Google is not a good substitute for a real background check. These don’t cost a lot of money, especially when compared to the potential costs of hiring a person who causes problems for you down the road, including hiring investigators and attorneys, mitigating any possible damage to your reputation, etc. You get the idea. Proper background checks are an effective, inexpensive risk-avoidance tool.

I’m also familiar with a large, multinational organization that recently acquired a business line from a competitor. The security team was not involved in the due diligence process, and that was unfortunate for the company. It turns out that the acquired business line had a small unit within its portfolio that operated in a heavily regulated industry. Once the acquisition was completed, it became apparent that the entire acquiring company was now subject to the same regulations as this small unit.

The cost of that mistake is in the millions of dollars. If the security team, which was steeped in regulatory issues and knowledge, had been brought into the M&A process, they would likely have discovered this issue before it was too late.

Take a step back and look at your own organization. Is it exercising proper due diligence where it should? If not, I’d add it to your list of action items for the coming year.

Best regards,

-Bob Bragdon, bbragdon@cxo.com
BLOG POST

Vulnerability disclosure revisited, and revisited, and...

Ed Adams says the flap over the iPad/AT&T hole is all too familiar

The researchers who discovered the recent iPad/AT&T vulnerability are taking some heat from the FBI. This re-opens the Pandora’s box of vulnerability disclosure. Questions in this realm include:

■ Should researchers “go public” with security holes they discover? If so, when? As soon as they’re discovered? After they’ve notified the vendor? After the hole is fixed? Never?

■ What repercussions should researchers face if they go public with a vulnerability that leads to a data breach?

■ What repercussions should the vendor face if a vulnerability they introduce leads to a data breach?

■ How accountable can or should we hold vendors for vulnerabilities in their software or service networks?

■ And in this case, why should a security research firm, which depends on the publication of vulnerabilities for publicity and credibility, be taking any heat for waiting to go public until after the security hole was plugged by the vendor?

I don’t even know where the line is right now regarding doing the right thing... let alone what color it is: black, white or gray. Would love to hear YOUR thoughts on this. Sound off, please!

—Ed Adams
Read more from Ed Adams, the Security Curmudgeon, at blogs.csoonline.com/blog/ed_adams.


MORE ON THE WEB

The CSO Daily Dashboard

Get an at-a-glance view of major developments that could disrupt your business. The CSO Daily Dashboard gathers security and business continuity feeds from around the Web.

http://dashboard.csoonline.com/

HOW TO REACH US

You can contact us directly or post your thoughts on specific articles and blogs at www.CSOonline.com.

Derek Slater, Editor in Chief
dslater@cxo.com
508 935-4213
Twitter: @derekcslater

Bill Brenner, Senior Editor
bbrenner@cxo.com
508 988-7587
Twitter: @billbrenner70

Joan Goodchild, Senior Editor
jgoodchild@cxo.com
508 988-7994
Twitter: @msjoanieg

Subscriber Services

Phone: 866 354-1125
Fax: 847 564-9453
E-mail: cso@omeda.com

Reprints & Permissions

For information about reprints and copyright permissions, please contact The YGS Group, 800 290-5460, ext. 129, cso@theygsgroup.com.

6 www.csoonline.com July/August 2010


GOOD FORTUNE

BREAK INTO IT.

Register for an ISACA certification exam.

Exam Date: 11 December 2010

Registration Deadline: 6 October 2010
“The insider threat is underappreciated.”

Edited by Bill Brenner

Facebook’s Threat to Privacy

Experts say if you look more closely into Facebook’s changes, you may still make some unsettling discoveries

Let us be perfectly clear: While Facebook has received a lot of criticism lately about its new privacy policies and Open Graph concept, which allows it to partner with other sites that will also have access to some user data, the social networking site isn’t precisely keeping secrets from you. But some security professionals and users continue to knock it for what they say are less-than-clear explanations of where your data is going and how secure the site really is.

Joey Tyson, a social media security expert who maintains the site Social Hacking, says there are important data security and privacy issues that continue to fly under the radar of Facebook users. This is what Facebook isn’t saying outright to its members.

We don’t want you to change your privacy settings. Facebook’s privacy policies have evolved dramatically in the last few years since the site launched. At Facebook’s inception, privacy was tightly controlled by the users. Today, users cannot make some sections of their profiles private. Other parts can be made private, but not without doing a lot of work to figure out how. Changing your privacy settings on Facebook has recently been called “today’s version of programming the VCR” by some security professionals.

“Facebook has shown they have been pushing users to share more and share more openly,” says Tyson. “And while they offer the user controls, what they seem to want people to do is share openly and share publicly.”

Tyson notes that it’s important not to start thinking that Facebook doesn’t offer privacy. Facebook wants members to use the site, even if only privately. But that is not its preference. As a result, if you turn on many of the privacy controls, the site will ask if you really want to do that.

The problem isn’t us, it’s the apps. Tyson says Facebook does a good job keeping track of vulnerabilities and protecting users on its own site. The trouble is with their application programming interface and third-party access to data.

“When you use an application that is interacting with Facebook, you are trusting that application and its level of security as well,” notes Tyson. “That is something a lot of people don’t understand or realize: how much trust they place in applications they use that aren’t Facebook. So if there is a vulnerability within an application, that can be exploited to talk to Facebook on your behalf.”

The point is, anything the application can do (for example, post links or share stories or images) could also be done by anyone who attacked that application.

Simon Axten, who is focused on security for the site, recently contacted CSO to clarify the safety of applications.

“Developers, big and small, must comply with our Platform Policy Guidelines, which require that applications provide a trustworthy experience,” he said by e-mail. “We enforce these guidelines regularly and have disabled applications that we’ve found to be in violation.”

Axten also notes that users have a number of options for controlling the information they share with applications. These include:

■ Refusing to authorize any app that seems worrisome or wants access to data users don’t want it to have.

■ Changing apps’ privacy settings. That is, you can configure what your friends’ apps can and can’t access.

■ Blocking applications just as you block individuals on Facebook.

But the issue goes beyond applications. The new Instant Personalization feature has its own set of security implications for both Facebook users and the external sites partnering with Facebook, according to Tyson. Earlier this week, a security researcher found an exploit that took advantage of cross-site scripting to inject malicious code into Yelp, one of the partner sites in this pilot program. The exploit, before it was patched, would allow a malicious site to immediately harvest a Facebook user’s name, e-mail address, and all data shared under the “Everyone” privacy setting, without requiring any action from the user.
CHANGES HAPPEN. BREACHES HAPPEN. AUDITS HAPPEN.

TAKE CONTROL WITH THE TRIPWIRE® VIA™ SUITE

Tripwire VIA is the only solution that integrates both change and event data to help reduce the breach-to-detection time gap. This powerful combination helps your organization prove continuous compliance, protect sensitive data and prevent outages.

Tripwire VIA changes everything.

Find Out More at: VIACHANGESEVERYTHING.COM

Introducing the Tripwire® VIA™ Suite

Tripwire VIA is the automated compliance solution that provides IT leaders with the power to take control. It’s the only solution that integrates both change and event data to help reduce the breach-to-detection time gap. Unlike siloed tools, this powerful combination helps your organization prove continuous compliance, protect sensitive data and prevent outages. Tripwire VIA changes everything.

VISIBILITY into events across your entire infrastructure
INTELLIGENCE transforms data noise into actionable information
AUTOMATION frees your staff for strategic projects

Tripwire Enterprise
Tripwire Enterprise helps IT tackle security, change, and configuration control challenges head-on.

Tripwire Log Center
Tripwire Log Center is an all-in-one log and event management solution.

©2010 Tripwire, Inc. Tripwire is a registered trademark and VIA a trademark of Tripwire, Inc. All rights reserved.
We’re collecting more data about you than you realize. There has been quite a bit of banging the drum about what information Facebook is sharing with other parties, particularly since the unveiling of Instant Personalization. But Tyson says many members don’t consider what information Facebook itself is collecting about you. As part of its new program, Facebook is using social plug-ins that allow users to see what other friends have “liked” or commented on at other sites around the web. Facebook describes its social plug-ins as “simple tools that can be dropped into any website to provide people with personalized and social experiences.”

Your information is being stored in places outside of Facebook. As pointed out in the article 10 Security Reasons to Quit Facebook (www.csoonline.com/article/584813), third-party application developers can access some of your profile information when you authorize the use of an application such as Farmville, Mafia Wars or any of the other thousands of applications users have access to through their profiles. Facebook says it requires developers to tell users which information they will access before they join, as Axten pointed out in his e-mail to CSO.

“Applications must get explicit authorization from the user before they can access any information that’s not generally available or set to ‘Everyone.’ Our new permissions model, which we made available to developers two weeks ago at our f8 conference, and will be mandatory for all developers starting June 1, requires applications to specify the exact categories of information they wish to access, present these to the user, and obtain express consent before any data is shared,” Axten said.

-Joan Goodchild
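Two points in this article are worth seeing in code: Tyson’s observation that whatever an application can do on your behalf, an attacker who compromises that application can also do, and Axten’s description of a permissions model in which an app must declare exact categories, the user sees that list, and nothing outside “Everyone” data is released without express consent. The following is an added illustration written for this page, not Facebook’s platform code; the Platform class, the category names and the sample profile are hypothetical stand-ins for the behaviour described.

```python
from dataclasses import dataclass, field

# Consent category for each profile field or action. Constructed for this
# example; the category names are hypothetical, not the platform's own.
CATEGORY = {
    "name": "basic",
    "email": "email",
    "birthday": "user_birthday",
    "photos": "user_photos",
    "post": "publish_stream",
}


class PermissionDenied(Exception):
    pass


@dataclass
class Profile:
    user: str
    data: dict
    everyone: frozenset                  # fields this user set to 'Everyone'
    wall: list = field(default_factory=list)


@dataclass(frozen=True)
class AppToken:
    app: str
    user: str
    scopes: frozenset                    # categories the user consented to


class Platform:
    """Hypothetical stand-in for the site's API gateway."""

    def __init__(self):
        self.tokens = {}                 # (app, user) -> live AppToken
        self.blocked = set()             # (app, user) pairs the user blocked

    def consent_prompt(self, requested):
        """What the user is shown before authorizing: the declared
        categories, nothing implied and nothing undeclared."""
        unknown = set(requested) - set(CATEGORY.values())
        if unknown:
            raise ValueError(f"undeclared categories: {sorted(unknown)}")
        return sorted(set(requested))

    def authorize(self, app, user, requested):
        """Express consent: the token carries exactly the shown list."""
        if (app, user) in self.blocked:
            raise PermissionDenied(f"{user} has blocked {app}")
        token = AppToken(app, user, frozenset(self.consent_prompt(requested)))
        self.tokens[(app, user)] = token
        return token

    def block(self, app, user):
        """Blocking an app, like blocking a person, revokes its token."""
        self.blocked.add((app, user))
        self.tokens.pop((app, user), None)

    def _check(self, token, category):
        if token is None or self.tokens.get((token.app, token.user)) != token:
            raise PermissionDenied("no valid token")
        if category not in token.scopes:
            raise PermissionDenied(f"{token.app} lacks {category}")

    def read(self, token, profile, name):
        """'Everyone' data needs no authorization; anything else needs the
        matching category on a live token."""
        if name in profile.everyone:
            return profile.data[name]
        self._check(token, CATEGORY[name])
        return profile.data[name]

    def post(self, token, profile, text):
        self._check(token, CATEGORY["post"])
        profile.wall.append((token.app, text))


def reachable(platform, token, profile):
    """Everything the holder of `token` can read or do on `profile`."""
    got = set()
    for name in ("name", "email", "birthday", "photos"):
        try:
            platform.read(token, profile, name)
            got.add(name)
        except PermissionDenied:
            pass
    try:
        platform.post(token, profile, "hello")
        got.add("post")
    except PermissionDenied:
        pass
    return got


def demo():
    """Constructed scenario: a game asks for e-mail and wall access."""
    p = Platform()
    alice = Profile("alice",
                    {"name": "Alice", "email": "alice@example.com",
                     "birthday": "1990-01-01", "photos": ["p1.jpg"]},
                    everyone=frozenset({"name"}))
    shown = p.consent_prompt(["publish_stream", "email"])
    game = p.authorize("farm-game", "alice", shown)
    by_app = reachable(p, game, alice)
    # Whoever compromises the game holds a copy of its token. Their reach is
    # exactly the app's: no more (photos, birthday stay closed), no less.
    stolen = AppToken(game.app, game.user, game.scopes)
    by_attacker = reachable(p, stolen, alice)
    p.block("farm-game", "alice")        # the user blocks the app
    after_block = reachable(p, stolen, alice)
    return shown, by_app, by_attacker, after_block
```

Running demo() returns the consent list, then three reach sets: the app and the attacker holding its stolen token can each read the name and e-mail and post to the wall but cannot touch photos or birthday; after the user blocks the app, the stolen token is good for nothing but the name, which is “Everyone” data and needs no token at all. That last set is also the kind of data the article says the Yelp cross-site scripting issue could harvest without any authorization step.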


CRITICAL INFRASTRUCTURE

EnergySec’s Plan to Keep Power Flowing

Energy companies rely on IT infrastructure more than ever, and would-be cyberterrorists know it

Our recent article on MidAmerican Energy Company’s push for better code security (www.csoonline.com/article/594613) brought home the dangers energy companies face in the digital age. An organization called EnergySec hopes to build a rock-solid defense against whatever may come. In the following interview, EnergySec directors Seth Bromberger and Steven Parker describe best practices to keep our power flowing.

Is your highest priority physical threats to energy infrastructure or is your mission specifically aimed at the cyber danger?

Bromberger: Our members come primarily from the cyber-security and -risk areas within their organizations, but we do discuss physical threats, especially in the context of blended cyber-kinetic attacks.

What are some common security best practices that have been developed through everyone’s collaboration in the organization?

Bromberger: These recent examples should serve to highlight the benefits of exchanging information within our organization. The Industrial Control Systems Joint Working Group (ICSJWG) is a public-private consortium of security professionals from several sectors (manufacturing, IT, chemical, energy and electricity, among others) who are trying to determine the best way to secure current and next-generation control systems for these sectors. The private part of the ICSJWG is being managed by the North American Electric Reliability Corporation (NERC). Our secure information-sharing portal is being used by the ICSJWG to coordinate and exchange information within and among the several subgroups. Since several EnergySec members are also volunteering on ICSJWG subgroups, it’s a very good partnership opportunity.

Second, a couple of years ago NERC decided that it would be a great idea to leverage industry expertise when evaluating new threat and vulnerability alerts prior to formal dissemination to their constituents. Their Hydra program is designed to muster technical expertise on a moment’s notice to provide rapid technical evaluation of these new threats and vulnerabilities. EnergySec saw an opportunity to help, and now hosts an information-sharing portal for Hydra and provides over 115 volunteers to the effort.

What are some of the misconceptions about threats and defenses concerning the energy sector?

Parker: There is a tendency in the media to portray threats against the bulk electric system as imminent. Although an attack could be attempted at any time, that concern is really in the long term rather than the immediate future.

Current computer crime is almost exclusively financially motivated. Attacks against the electric sector will not be so motivated, since there is no easy path to monetization, and an attack against critical energy infrastructure would likely be met with an extremely aggressive government response. Security in this sector is critical over the long term to protect against possible terrorist or state-sponsored attacks, not petty crimes.

What are some of the more overlooked threats?

Parker: The insider threat is underappreciated. The electric industry, as a cooperative endeavor, necessarily relies on mutual trust. This creates a culture where the possibility of malfeasance by insiders is discounted.

-Bill Brenner
60% OF PRODUCTION VIRTUAL MACHINES ARE LESS SECURE THAN THEIR PHYSICAL COUNTERPARTS!

THINK CONVENTIONAL SECURITY CAN PROTECT YOUR VIRTUAL ENVIRONMENT? THINK AGAIN.

Enterprises around the world are relying on virtualization to increase data center efficiency and, unknowingly, leaving themselves more vulnerable. That’s because conventional security isn’t able to protect virtual machines or see the traffic between them, leaving data and networks exposed. Which is why, according to Gartner Group, in 2009 sixty percent of virtual machines are less secure than their physical counterparts. But with Trend Micro™ Enterprise Security, powered by the Trend Micro™ Smart Protection Network™ infrastructure, you can mitigate the risk and maximize the benefits of virtualization. It’s a different kind of security that protects your physical and virtualized environments and helps set the foundation for your company to move confidently into the cloud.

Learn how to protect your virtualized data center.

Download the Trend Micro eBook at trendmicro.com/thinkagain

TREND MICRO

© 2010 Trend Micro Inc. All rights reserved. Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro Inc. All other company and/or product names may be trademarks or registered trademarks of their owners. *Per Gartner Group Vice President Neil MacDonald, as quoted in: McLaughlin, Laurianne, “How to Find and Fix 10 Real Security Threats on Your Virtual Servers,” CIO Magazine, 14 Nov 2007, www.cio.com/article/print/154950. **Per Gartner Group Vice President Neil MacDonald, as quoted in “… Virtualization Can Weaken Security,” On-Demand Enterprise, 09 April 2007.
CODE SECURITY

SECURITY WISDOM WATCH

Out With the Old, In With the New

THUMBS UP: Code security: The next big thing, you ask? True, baking security into software at the beginning of the development process is an old concept. But it IS a concept that’s finally catching on.

THUMBS DOWN: Windows XP Service Pack 2: You were great in your day, XP SP2. You offered major security improvements and propelled Microsoft into the arena of respectable security. But you’ve been rendered obsolete by better, more secure operating systems such as Windows 7. It’s time we said goodbye.

THUMBS BOTH WAYS: BP: With all that oil gushing from the ocean floor in the Gulf, BP has become everyone’s favorite punching bag. But if this tragedy makes people take things like disaster recovery, business continuity and alternative energy more seriously, we may yet find ourselves in a more secure world.

THUMBS DOWN: Terry Childs: Holding San Francisco’s IT infrastructure hostage was NOT nice. Citizens rely on that infrastructure. No Internet for you in that jail cell.

THUMBS BOTH WAYS: Consumer technology: We’re not sure the iPad and iPhone were meant to be used as enterprise work tools, but since that’s what’s happening we’re willing to go along for the ride, as long as the right security controls are in place.

-B.B.

SAFECode Report Highlights Best Practices

The report sheds light on what companies like Adobe, Juniper, EMC and Microsoft are doing to bake security into their code. Given Adobe’s troubles, the process remains a challenge.

A new report from the Software Assurance Forum for Excellence in Code (SAFECode) sheds new light on how vendors are trying to work more secure coding into their product-development processes.

The vendors contributing to the report are SAFECode members who have enjoyed some success in reducing the frequency of attacks against their technology, including EMC, Juniper Networks, SAP and Microsoft. But the organization also includes companies that still face an uphill climb, most notably Adobe Systems. (Also read “Code Security: A Survival Guide” at http://www.csoonline.com/article/595180.)

Despite its efforts to write more ironclad software, Adobe has taken heavy criticism for the number of vulnerabilities attackers have been able to exploit. Adobe security chief Brad Arkin admits the company has a lot of work to do, but says that part of the problem is the wide attack surface that comes with a technology almost everyone uses.

It may be impossible to produce code that’s 100 percent secure, acknowledges SAFECode Executive Director Paul Kurtz, and companies will always deal with some vulnerability. But, he says, the new report at least offers a road map other companies can use to improve their own development procedures.

“Software assurance is most commonly discussed in terms of security engineering or, in other words, building security into the software as it is being developed,” he says. “But another important aspect of assurance is securing the supply chain processes for software sourcing, development and distribution to protect the integrity of delivered software.”

SAFECode’s  latest  paper  deals  specifically  with  what  happens  to  software  after  it  is 
developed.  The  research  represents  the  first  industry-led  effort  to  identify  and  analyze 
the  software  integrity  controls  used  by  vendors  to  protect  their  products  from  attempts 
to  insert  vulnerabilities  as  they  move  along  the  global  supply  chain,  Kurtz  says.  Among 
the  steps  SAFECode  members  recommend  taking  to  improve  security  are: 

■  Inserting  stronger  language  in  vendor 
contracts.  Agreements  should  include  the 
responsibilities  and  expectations  of  vendors 
and  suppliers.  Contracts  “must  explicitly 
state  the  expectations  as  well  as  the  con¬ 
sequences  of  any  non-compliance  with  the 
terms  of  the  agreement,”  the  report  says. 
■Adding  vendor  technical  integrity 
controls  for  suppliers.  These  should 
address  the  secure  transfer  of  code,  sharing 
of  system  and  network  resources,  malware  scanning  and  secure  storage. 

■  Conducting  more  rigorous  security  testing,  including  the  more  widespread  use  of 
tools  that  perform  static  code  analysis,  binary  code  analysis,  and  security  compli¬ 
ance  validation,  as  well  as  network  and  web  application  vulnerability  scanners  and 
malware-detection  tools  that  can  discover  such  problems  as  backdoor  holes. 

The  report  reflects  a  growing  trend  in  the  infosec  community  toward  relying  less  on 
bolt-on  defenses  and  more  on  well-written  code.  The  code  security  trend  is  reflected  in 
the  rugged  software  movement,  the  Building  Security  In  Maturity  Model,  Microsoft’s 
Security  Development  Lifecycle,  the  growth  of  the  Open  Web  Application  Security 
Project,  and  the  emergence  of  new  secure  application  development  certifications  such 
as  the  CSSLPfrom  ISC2. 

-B.B. 
EVENT SECURITY

World Cup: Preparing for the Unexpected

Security veteran Bill Besse details the complex planning that goes into protecting a client at the world’s largest sporting event

The FIFA World Cup games kicked off June 11 in South Africa. One of the largest sporting events in the world, it typically features multiple games occurring across numerous cities, posing myriad logistical and communication challenges in an already volatile, high-crime area.

So what’s the biggest challenge in protecting World Cup attendees? Bill Besse says it’s probably not what you think.

Besse is vice president of consulting and investigations at security and risk mitigation company Andrews International. He is also the former CSO of Belo, and he played a role in security planning for the Athens, Torino and Beijing Olympics. Besse is now spearheading efforts for a large Andrews client who is attending the World Cup and hosting events throughout the month. Besse spoke with CSO about the issues surrounding plans for client security and the unexpected event that concerns him most.

CSO: You’re involved with the security arrangements for a large client who is participating in some way in the World Cup. What kind of work have you been doing to prepare for the event?

Besse: Preparations started over a year ago when the client did an event in Istanbul, Turkey. Part of the event was moving the World Cup trophy from its home in Zurich, Switzerland, to a special event being hosted by this client in Istanbul.

Amazingly, the logistics of moving that sports icon, one of the most recognized sports icons on the face of the Earth, was complex. Outside of the United States, people want to see it, touch it. Moving it became more complex than we thought it was going to be. It travels and people travel with it. It has its own special case and rules about how it is to be secured and stored.

Our client is deeply involved in the World Cup and we have been helping them plan the logistics for having a large number of people, either within their organization or associated with it, travel to South Africa from all over the world to attend the World Cup, which is a monthlong event.

In contrast to the Super Bowl (which is certainly a world event, but it’s a week and involves two teams), the World Cup is a month and involves 32 teams at 12 or 13 stadiums. Some of these venues have a nearly 100,000-person capacity. When you put the events side by side, the World Cup is the largest sporting event that exists right now.

It has some complexities involving security and logistics and moving people and securing really the entire country, which is sort of unstable in spots to begin with.

CSO: So what is your biggest challenge when it comes to security at the event? What’s top-of-mind in the planning?

Besse: We can talk about all of these sexy things like terrorism and street crime and so forth. But when you have a large number of people you need to protect, as we do with our client, my experience tells me when you get a few hundred or a few thousand people together in an emotionally charged environment, and they’ve been traveling, and there is all sorts of excitement, they are tired. A medical emergency is one of the most pressing events that can occur.

What we found out in South Africa is there are some hospitals there that you don’t want to be receiving critical medical care in. This particular client and a lot of the larger sponsors of this will arrange to have their own emergency medical care available. In the planning for the World Cup, security at each venue is designed in layers. In looking at diagrams, and in talking to people involved, they actually have in most venues these hard-wall perimeters built around zones of protection leading up to access to the stadiums.

The World Cup organizing committee there has its own emergency medical care arranged and it is going to allow first aid and emergency medical services access. But if you have a sponsor group there with a few hundred people and you have an emergency, you may not want the government’s emergency medical care. You may want your own care that you’ve arranged through a contractor, like SOS International, because it’s higher quality and you can choose which hospital you’re transported to, versus having the government make that decision.

This is a critical issue that needs to be resolved. And usually the way these things are resolved is through a lot of good advance planning.

-J.G.
>> BRIEFING

MOBILE SECURITY

FBI Investigates Leak of iPad User Data

Hackers gained access to an estimated 114,000 e-mail addresses

The FBI has opened an investigation into the release of an estimated 114,000 e-mail addresses registered to Apple iPad users.

Hackers belonging to a group called Goatse Security obtained the addresses after uncovering a Web application on AT&T’s website that returned an iPad user’s e-mail address when it was sent specially written queries. They wrote an automated script that repeatedly queried the app, then downloaded the addresses and handed them over to Gawker.com.

Now the FBI is trying to figure out whether this was a crime. “The FBI is aware of these possible computer intrusions and has opened an investigation into addressing the potential cyberthreat,” said Lindsay Godwin, an FBI spokeswoman.

The investigation was opened Thursday by the FBI’s Washington field office, she said. Godwin did not know if the investigation was opened at the request of Apple or AT&T. AT&T declined to comment, and Apple has not replied to requests for comment.

According to Gawker, Goatse hackers were able to download e-mail addresses belonging to White House Chief of Staff Rahm Emanuel, New York Mayor Michael Bloomberg and ABC News anchor Diane Sawyer. They also gained access to addresses belonging to employees of Google, Amazon, Microsoft and the U.S. military.

The hackers did this by guessing thousands of unique numbers, called Integrated Circuit Card Identifiers, belonging to iPad users and feeding them into the AT&T website.

Accessing computers without authorization is illegal, but it is unclear whether the script that the Goatse group used violated the law, said Jennifer Granick, civil liberties director with the Electronic Frontier Foundation. “The question is, when you do an automated test like this, [are you] getting any type of unauthorized access or not?” she said.

If it turns out the data in question was not misused, it is unlikely that federal prosecutors will press charges, she added. -Robert McMillan
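The pattern the brief describes, one client walking a lookup endpoint through thousands of guessed identifiers, leaves a distinctive trace in ordinary web-server access logs. As an added example (not code from the article, AT&T or Gawker), the detection logic below scans constructed log lines for a single client presenting many distinct, consecutive ICC-ID values; the endpoint path `/ipad/lookup`, the query key `iccid` and every log line are assumptions made for illustration.

```python
"""Flag clients enumerating an identifier-keyed lookup endpoint.

Added example, not code from the article, AT&T or Gawker. The endpoint
path "/ipad/lookup", the query key "iccid" and all log lines below are
constructed. The heuristic targets the pattern the brief describes: one
client walking through many distinct, sequential identifier values.
"""
import re
from collections import defaultdict

# Combined-log-format request line: client IP, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
# ICC-IDs are 19 or 20 decimal digits; the query key name is an assumption.
ICCID_RE = re.compile(r'[?&]iccid=(\d{19,20})(?:&|$)')

# Constructed sample: 203.0.113.7 walks six consecutive ICC-IDs (four of them
# resolve to an account, status 200); the other clients look like normal use.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2010:10:00:01 +0000] "GET /ipad/lookup?iccid=89014104240001000000 HTTP/1.1" 200 512
203.0.113.7 - - [09/Jun/2010:10:00:02 +0000] "GET /ipad/lookup?iccid=89014104240001000001 HTTP/1.1" 200 498
203.0.113.7 - - [09/Jun/2010:10:00:02 +0000] "GET /ipad/lookup?iccid=89014104240001000002 HTTP/1.1" 404 61
203.0.113.7 - - [09/Jun/2010:10:00:03 +0000] "GET /ipad/lookup?iccid=89014104240001000003 HTTP/1.1" 200 503
203.0.113.7 - - [09/Jun/2010:10:00:03 +0000] "GET /ipad/lookup?iccid=89014104240001000004 HTTP/1.1" 404 61
203.0.113.7 - - [09/Jun/2010:10:00:04 +0000] "GET /ipad/lookup?iccid=89014104240001000005 HTTP/1.1" 200 507
198.51.100.20 - - [09/Jun/2010:10:00:05 +0000] "GET /ipad/lookup?iccid=89014104240009876543 HTTP/1.1" 200 510
198.51.100.20 - - [09/Jun/2010:10:01:40 +0000] "GET /ipad/lookup?iccid=89014104240009876543 HTTP/1.1" 200 510
192.0.2.33 - - [09/Jun/2010:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024
"""


def parse_line(line):
    """Return {ip, iccid, status} for a lookup request, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    q = ICCID_RE.search(m.group("path"))
    if not q:
        return None  # not a request to the lookup endpoint
    return {"ip": m.group("ip"), "iccid": int(q.group(1)),
            "status": int(m.group("status"))}


def longest_sequential_run(values):
    """Length of the longest run of consecutive integers among values."""
    s = sorted(set(values))
    best = run = 1 if s else 0
    for a, b in zip(s, s[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def summarize(log_text):
    """Per client IP: distinct IDs tried, longest consecutive run, 200 hits."""
    per_ip = defaultdict(lambda: {"ids": [], "hits": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["ids"].append(rec["iccid"])
        if rec["status"] == 200:
            entry["hits"] += 1
    return {
        ip: {"distinct": len(set(e["ids"])),
             "longest_run": longest_sequential_run(e["ids"]),
             "hits": e["hits"]}
        for ip, e in per_ip.items()
    }


def flag_enumerators(log_text, min_distinct=5, min_run=4):
    """Clients that tried many distinct IDs including a consecutive run.

    Thresholds are illustrative; tune them against a baseline of legitimate
    traffic, where a device normally looks up only its own ICC-ID.
    """
    return {ip: s for ip, s in summarize(log_text).items()
            if s["distinct"] >= min_distinct and s["longest_run"] >= min_run}


if __name__ == "__main__":
    for ip, s in flag_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {s['distinct']} distinct IDs, run of {s['longest_run']}, "
              f"{s['hits']} hits")
```

The same per-client counters, fed to a rate limiter at the endpoint, would have throttled the enumeration instead of only reporting it afterwards.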


BY THE NUMBERS

114,000
Apple iPad user e-mail addresses reportedly leaked in early June

0
Security patches for Internet Explorer on Windows XP Service Pack 2 machines that Microsoft will release after July 13, 2010

7,000 to 114,000
Websites compromised in a widespread attack last month. Victims included the Wall Street Journal and Jerusalem Post.

5
Years former San Francisco IT administrator Terry Childs could spend in prison for blocking access to the city’s FiberWAN network for several days in 2008


By Neil Roiter

Torture Testing Your Network

High-power tools help determine if your security devices, networking equipment and applications stand up under a melange of protocols, converged services, multigigabit traffic, attacks and malformed packets

Contemporary IT infrastructure and applications operate in an extreme environment barely envisioned a decade ago, pushing networks to the limit and challenging the security industry to keep pace.

A handful of high-end testing products have had to evolve quickly to meet those challenges and evaluate how network and security devices perform under stress, and isolate and repair flaws.

Here’s why, in a nutshell: Service provider and enterprise networks are performance-challenged, being called upon to support enormous high-speed traffic loads. That traffic is increasingly complex, comprising a growing array of protocols and applications supporting converged IP services (voice, video, data) and performance-sensitive online transactions. Throw in plenty of malicious-attack traffic and see how networks, network devices and network-based security products, from firewalls to intrusion-prevention systems (IPS), perform under stress.

How do carriers know if their infrastructure will support their service-level agreements with demanding enterprise customers? How do enterprises know if their networks and data centers can support their business requirements and whether their network and security vendors’ gear is really up to the job? And how do network and security vendors know that their products can deliver what they claim in their data sheets?

In this Toolbox, we’ll explain how products from BreakingPoint Systems, Ixia, Mu Dynamics and Spirent Communications can be used to test networking and security gear and the applications they support to the limit, and how different types of organizations can leverage their unique capabilities.

The Market

These are very expensive products that require permanent test-lab facilities and dedicated, expert staffing to deliver their full benefit.
>>  TOOLBOX 


Historically, the market has focused primarily on network equipment manufacturers and large service providers. Ixia and Spirent, which have specialized in generating heavy traffic, have dominated in testing load-bearing capabilities in the lower layers of the Open Systems Interconnection (OSI) stack.

The market has grown broader as the traffic mix has grown more complex, adding more and more protocols, high-performance applications, and attack traffic. Security vendors are important buyers now, and some government agencies “look a lot like a carrier or service provider,” says Elisabeth Rainge, IDC program director for network software.

Security-sensitive agencies, especially in defense and cybersecurity, are also good customers, especially for those products emphasizing security.

Mu and BreakingPoint have entered the competition in recent years, emphasizing power security and application testing. Ixia and Spirent, which are well known for load testing, are moving up the stack as well, augmenting application and security capabilities.

In general, Rainge says, telecommunications companies and network equipment providers tend to still be focused on performance (though there are, of course, exceptions), while enterprises and service providers with a strong IT heritage tend to focus more on the application layers, in addition to security.

“If you’re coming from an IT perspective as opposed to telecom or network, you’re thinking more in terms of what application is involved or what is the end-user experience or how is this technology fitting with how our business is really doing,” she says. “You don’t necessarily have end-use case in mind; there’s a reasonable chance you’re looking at the network as more of a dumb pipe. It’s performance rather than what kind of business a company is in.”

Very large enterprises are becoming more important as customers. The enterprise buyers are generally large financial institutions (which can lose millions of dollars in an hour’s downtime) and very large, complex companies.

But potential enterprise buyers are a relatively short list of large organizations that have the money, talent and commitment to testing to justify the purchase.

“Very high-end enterprises, major financials, anyone where it’s mission-critical and not running standard traffic (guys like an eBay and Amazon) are a good fit for these kinds of tools,” says Vik Phatak, chairman and CTO at NSS Labs. “Start talking lower than that, and it becomes problematic. Cost justification doesn’t make sense. They’re expensive and complicated.”

Sorting Out the Tools

The common denominator among these four companies’ products is that they are übertools designed to throw a phenomenal volume and/or assortment of traffic at the target systems. To some extent, they’re competitors; in some cases, they’re complementary.

“Mu is more about security. BreakingPoint is aligned with security but leans a little more toward the network conversation,” says Rainge. “Ixia and Spirent are casually referred to as ‘packet blasters’; that’s a very casual way to refer to load generation. As companies, they are competitors.”

Ixia and Spirent have the longer pedigrees and are especially well known for load-testing networking equipment.

Spirent’s Avalanche, which focuses on testing the capacity, performance and security of Layers 4 through 7, is available on its own or on Spirent’s flagship network testing platform, TestCenter. Its primary security capability is vulnerability assessment, testing for thousands of known attacks and variants under a heavy application load of normal and malicious traffic.

Spirent recently released Avalanche Virtual, which can be loaded as a virtual instance to test the performance and security of virtual network and security appliances.

Ixia is expanding its security testing, incorporating and beefing up what has been a separate IxDefend product into IxLoad, which is used for testing converged services and application delivery platforms. According to Ixia, the enhanced capabilities, which were scheduled for release in June, replace IxDefend, a Nessus-based vulnerability assessment product, with some 6,000 different vulnerabilities and dozens of evasion techniques that can be thrown at the target device under heavy traffic loads.

Mu is a very different sort of product. It can design and launch an endless variety of attack and malformed traffic at its target. Mu uses its fuzzing technology on packet captures from the customer network to produce unpredictable and unexpected traffic for both functional and security testing, so the test traffic reflects the environment in which the tested device will work. Users can develop their own tests and leverage test profiles from the Mu user community and Mu’s own library. Where Ixia and Spirent torture systems under an incredible volume of traffic, Mu tortures them with the sheer variety of possible traffic permutations.

For that reason, it’s not unusual for Mu to be used together with Ixia or Spirent. In fact, the Mu website includes instructions for integrating Ixia and Spirent, so users can deliver Mu’s smorgasbord of traffic under real-world loads. That may be an attractive option for organizations that are already heavily invested in Ixia or Spirent but like Mu’s application and security technology.
BreakingPoint’s Storm Cyber Tomography Machine appliance combines higher-layer testing and load tolerance, generating high volumes of stateful application traffic. It blends legitimate types of traffic from some 140 global applications, from Oracle database traffic to Skype to World of Warcraft, with a library of about 4,500 known attacks and 80 evasion techniques. It also uses fuzzing techniques to stress systems.

“Mu  excels  in  the  mutation  part  and 
fuzzing;  it’s  really  good  at  simulating  both 
traffic  and  in  its  fuzzing  capability.  They 
do  a  little  better  than  BreakingPoint,”  says 
Avishai  Avivi,  senior  director  of  high-end 
security  and  services  at  Juniper  Networks, 
which  uses  both  products.  “But  MU  doesn’t 
have  scale  and  ability  to  test  networks  at  the 
speed  we  need  them.” 

Juniper  also  uses  Ixia  and  Spirent  prod¬ 
ucts  for  network  testing  lower  on  the  OSI 
stack. 

Use  Cases 

These  tools  have  a  number  of  use  cases 
for  vendors,  service  providers  and  large 
enterprises. 

Network  equipment  testing.  Network 


equipment  vendors  have  long  used  Ixia  and 
Spirent,  in  particular,  to  test  networking 
equipment  before  it’s  released  on  the  mar¬ 
ket.  The  emphasis  is  on  performance  under 
load,  incorporating  a  wide  range  of  network 
and  higher  layers  to  approach  contempo¬ 
rary  network  conditions. 

Security  product  testing.  Security 
vendors  are  now  using  them  as  well,  to  test 
their  products’  detection  capabilities  under 
stress. 

“Security-testing  devices  don’t  tradi¬ 
tionally  measure  performance,”  says  Avivi, 
who  uses  BreakingPoint  to  test  Juniper’s 
SRX  Series  Services  Gateway  appliances. 
“We  started  with  BreakingPoint  because  of 
security  and  very  quickly  learned  it  could 
help  us  do  stress  testing  under  real  traffic 
conditions.” 

Vendor  evaluation.  Both  service  pro¬ 
viders  and  large  enterprises  will  use  these 
tools  in  vendor  evaluation,  either  on  a  case- 
by-case  basis  or  in  a  bake-off  among,  say, 
three  IPS  vendors.  They  might  test  for  per¬ 
formance  or  the  ability  to  detect  attacks,  or 
both.  It’s  no  secret  that  intrusion-preven¬ 
tion  vendors  struggle  at  times  to  avoid  cre¬ 
ating  a  bottleneck  if  performance  begins  to 


lag  while  still  providing  the  ability  to  detect 
attacks  and  evasion  techniques. 

“Vendors  are  not  testing  as  rigorously 
as  should  be,  especially  from  a  security 
standpoint,”  says  NSS  Labs’  Phatak.  “Per¬ 
formance,  they  tend  to  get;  security,  not  so 
much.  Part  of  it  is  that  people  can  see  when 
something  slows  down,  but  they  don’t 
know  if  the  IPS  misses  something.” 

In  addition  to  making  purchasing  deci¬ 
sions,  organizations  can  test  before  they 
buy  to  detect  flaws  they  want  the  vendor 
to  fix. 

Data  centers.  Large  organizations 
can  test  performance  and  security  for  data 
center  upgrades,  creation,  expansion  or, 
increasingly,  consolidation  to  take  advan¬ 
tage  of  virtualization. 

New  and  upgraded  applications. 


These  tools  can  be  valuable  for  performance, 
security  and  interoperability.  Organiza¬ 
tions  will  want  to  see  how  new  or  modified 
applications  will  behave  on  their  networks: 
Will  they  be  stable?  Will  they  create  prob¬ 
lems  for  other  applications?  Will  perfor¬ 
mance  degrade? 

“Say  you  know  that  you  need  to  support 
20,000  customers  per  hour  and  know  how 
they  behave— how  many  transactions  per 
second,  certain  types  of  traffic,  maintain¬ 
ing  state,”  says  Phatak.  “These  tools  can 
replicate  that.  If  performance  goes  down  to 
18,000  customers  per  hour,  you  may  need 
to  add  servers;  or  maybe  you  can  now  do 
25,000  and  can  scale  back.” 

Virtualization. Virtualization reduces equipment costs, power consumption, space requirements and management overhead. But right-sizing the number of virtual machines and types of applications on a particular physical host gets tricky. Phatak notes that virtualization vendors tend to talk about capacity in terms of the number of VMs you can install on a box, but not the amount of work it can actually support. Power testing tools allow you to evaluate the performance of combinations of servers and their applications on a particular server.

Cloud services. Organizations can use these products to evaluate the provider SLA against actual performance for their users, or test in advance to determine the level of services they need to purchase.

Consulting and integration services. Consultants can evaluate prospective products for their clients; integrators and IT architecture service providers can test their planned and implemented projects.

“In some cases, we test new services for clients, or new software they’ve written in-house, before going into production, to see if it can hold up,” says Ed Skoudis, a founder and senior security consultant at InGuardians, which uses Mu products. “Humans can focus on desired business functionality and look for strange cases of business logic errors. Mu can automate security testing by throwing a lot of garbage, known attacks and custom attacks.”

Specialized testing. Mu, in particular, is valuable for crafting and delivering traffic to test particular environments.

For example, it’s being used to test security products—network firewalls, intrusion detection and prevention, application firewalls—for IPv6 certification at the University of New Hampshire’s Interoperability Laboratory.

“Otherwise, we would have to create our own test infrastructure and create all these vulnerability attacks and traffic patterns,” said Tim Winters, a senior manager at the lab. “You could send one packet and trigger on it, but to do a whole stream or whole stateful firewall is much more complicated, and it’s a lot easier to have an off-the-shelf solution we can manipulate.”

And InGuardians is using it to test smart grid equipment.

“We created some test tools,” Skoudis says. “We’ll use Mu to generate traffic and our tools to deliver it to the targets—smart meters, SCADA systems, stuff that’s in the grid.”

Do’s and Don’ts

These tools are not for the underfunded, the underskilled or the faint of heart. Consider them carefully before deciding whether to purchase them or how to use them.

DO consider how often the tools will be used and in what ways. They are expensive to buy and support. Make sure the use justifies the expense.

DO get full and accurate information on the application and protocol mix to be sure you create a representative test environment.

DON’T assume you know what your performance requirements are for the new application, security device or network.

DO engage security, network and business managers to determine current and projected requirements so you understand what needs to be tested.

DON’T buy what you can’t support. If an enterprise doesn’t already have a dedicated lab and supporting staff to test new equipment and applications, it won’t be able to get much benefit out of any of these products. They can make an existing testing infrastructure more robust, but can’t create a useful lab by themselves.

DO consider consulting services that use one or more of these tools to help with vendor evaluation, cloud services performance, new application testing, etc. Even if you can’t justify purchase and support costs, you can still leverage their services.

DO understand the differences between products. One product may not satisfy corporate IT testing requirements. Are you concerned about performance testing (up to Layer 4 or up to and including the application layer), security testing or both? You may find that you need to purchase and support two or even three of these products—and that may drastically change your plans.

DO evaluate reporting and remediation capabilities. How does the tool report test results? Is it good at comparing test results and pinpointing the problems, or will staff have to sift through results and do manual comparisons? The product should facilitate regression testing and provide capture replays.

“Capture replay is pretty high on the list from a troubleshooting perspective,” says Phatak. “One of the first things that is going to happen is the developers will say, ‘Show me the traffic.’”

DON’T underestimate training. These are complex tools that require operation by highly trained, highly skilled personnel for you to get their full benefit.

DON’T neglect penetration testing. The products have great value but are not a substitute for systematic penetration testing using attack tools, including Metasploit, Canvas from Immunity, or Core Impact from Core Security Technologies.

“These tools are still no substitute for using traditional pen-test tools,” says Phatak. “These can indicate how good or bad your IPS is doing, but they’re not going to give you a good, deterministic answer about whether someone can break in or not.

“You can get a false sense of vulnerability or a false sense of security if you don’t understand that.”


Neil Roiter is a freelance writer. Send feedback to Editor Derek Slater at dslater@cxo.com.

By taking a balanced approach to information security and keeping the organization’s mission in mind, you can create agility and value

BY JAMIL FARSHCHI AND AHMAD DOUGLAS


Information security has long been seen as at odds with business agility and productivity. Whether it uses electronic or physical controls, security often gets a bad reputation for being a burdensome bolt-on required for either regulatory compliance or nebulous what-if scenarios.

Value-Negative Information Security

For some organizations, the what-if threat is less nebulous. Take, for example, Google. Between its January 13 threat to cease operations in China and early April, the search giant lost almost $7.5 billion in market value. Both the NASDAQ and S&P 500 composites rose about 5 percent over the same period, and our research has turned up no other significant negative events for Google during this time, which suggests that this escalating disagreement led to their capital loss.

This case and numerous others show that poor information security can destroy value, in terms of both lost shareholder confidence and future growth. And as TJX learned from a well-publicized 2005 breach, poor information security can also result in costly legal repercussions.

Defining the Existential

But can an excellent information security program create value? Perhaps the first step to implementing a successful plan is defining success. Many organizations, especially those harshly constrained by regulatory compliance and public scrutiny, define success as the absence of a significant, widely publicized event. Los Alamos National Laboratory was in the same situation: Our security program was deemed a success as long as it kept incidents to a minimum and those that did occur were of low enough severity to satisfy our regulating authority.

The false sense of security created by regulatory compliance can be dangerous, however. Los Alamos, as with many public and private organizations, fell into this trap. It’s easy to fall into a check-the-box mindset, thinking that if all the regulatory requirements have been met, the organization’s critical data and assets are secure. It only takes one painful, public breach to realize that this way of thinking is flawed.

After each information security event, we asked ourselves, “If we were compliant, then how did we fail to protect our sensitive information and technology assets?” Over time it became clear that we failed because our security controls were decoupled from the mission of our organization. By focusing on regulatory compliance and ignoring the needs of our core workforce—R&D scientists, experimentalists, engineers and machinists—we forced them to use their computers in an unintuitive way, which caused them to make more errors.

As an excellent paper from Microsoft Research notes, this behavior is common, and is in fact completely rational from an economic standpoint. Unfortunately, information security professionals often deal with it in entirely the wrong way—with still more reactionary, bolt-on compliance measures, rather than by taking a holistic, strategic view of the problem.

In contrast, our current security program strives to blend compliance with ease of use to foster both information security and user productivity. Simply put: we want it to be easy for our employees to do the right thing.

If our ultimate goal is to create value through an excellent information security program, then how do we define those terms? The answer necessarily depends on your security paradigm and your business model. For example, at Los Alamos, our shareholders are the U.S. taxpayers, who demand fiscal prudence and return on their investment of trust. Our customers are other government agencies that rely on the world-class products of our science and technology capabilities. And our stakeholders include state, local and tribal governments; the residents of New Mexico; and our workforce. Each of these groups has its own set of requirements, and an information security breach has the potential to negatively affect each in a different way. They must all be taken into account when developing our definition of success.


How would you define success in information security? How do you develop a program focused on value creation? At Los Alamos, we worked directly with our customers to define success as enhancing our competitive position by (a) reducing security and compliance costs by improving operational efficiency; (b) reducing the number and impact of security events; and (c) gaining competitive advantage by facilitating the acquisition of new business by enhancing our reputation, bolstering our workforce’s productivity and establishing collaborative partnerships.

Turning Vision Into Action

Developing your vision of success for enterprise information security is only the first step. Equally important are the abilities to translate your vision into strategic direction, develop tactical objectives that move you toward your goals, and establish a quantitative dashboard for evaluating your progress. To this end, Los Alamos focuses closely on enabling its mission and on strategic execution.

STEP 1. Developing your vision. What is your core business model? To what degree are your activities dictated by statutory compliance or legal liability? Almost all organizations have similar concerns about gaining competitive advantage, such as how the company can position itself as a sector leader, provide innovative solutions, and promote an image of trustworthiness, competence and timely delivery. Los Alamos, for example, relies primarily on the U.S. nuclear weapons complex for funding. Our activities are heavily constrained by law and carry significant liabilities. In order to meet our obligations to the nation and our customer base, we must demonstrate that we can safeguard the national security information entrusted to us while enabling the delivery of cutting-edge scientific research and innovation.

STEP 2. Create a strategy map. An element of the balanced scorecard methodology, the strategy map is a visual tool that clearly assesses strategic vision from four perspectives: learning and growth; financial; customer; and internal processes. Unlike the reactionary, bolt-on approach of many information security operations, the strategy map encourages a holistic view of the people and processes that underlie sustainable success. In our strategy map, we defined overarching themes to focus on and broke those themes down into components with defined objectives that promote long-term growth in each of the perspectives. For example, we defined operational excellence as a theme from the internal processes perspective, and one strategic objective is to improve our compliance processes. When taken together, the components drive the success of the theme, which keeps the perspective on track. When all four perspectives are properly scoped and progressing as they should, your organization is making great strides toward fulfilling its strategic vision.

Figure: Sample Balanced Scorecard for Information Security

STEP 3. Define initiatives. Initiatives are funded, tactical activities that support delivery of a strategic objective. It’s critical to maintain a strong knowledge of the initiatives currently under way in your organization. When that knowledge is combined with your strategy map and targeted customer feedback, it’s easy to identify gaps in organizational structure and funding that are hindering fulfillment of your vision. Conversely, when your organization’s initiatives are well aligned with its strategy map, delivering on your vision for information security comes naturally. The model’s self-sustaining nature is obvious when examining the interplay between the overarching strategy, themes, objectives and initiatives. For example, when initiatives do not map to the defined objectives, they are easily flagged as misaligned with the overarching strategy and can be re-prioritized or abandoned altogether. Likewise, if certain initiatives seem necessary to successful strategy execution but do not fit in the established strategy map, it is important to review and realign the strategy to ensure that key components are not missing.

The Information Security Value Sphere

Now you have a set of properly aligned, adequately funded, value-creating initiatives to act on. Here, the information security value sphere provides the perfect lens through which to view your unfolding initiatives. Its goal: to ensure thoughtful, sustainable, value-focused implementation of information security objectives.

Two key aspects of a successful delivery:

1. ESTABLISHING A COMPETITIVE ADVANTAGE

2. IMPROVING OPERATIONAL EFFICIENCY

If your organization can differentiate itself from the field by delivering its information security objectives, it has gained a competitive advantage. Similarly, outstanding operational efficiency lets you outpace your competitors by delivering cheaper and more effective solutions.

The four most important considerations in the pursuit of competitive advantage and operational efficiency:

1. SOLUTIONS

2. RELATIONSHIP MANAGEMENT

3. DECISION SUPPORT

4. PERFORMANCE MANAGEMENT

By taking each value function into consideration when planning, implementing and executing tactical initiatives, you will impart competitive advantage and operational efficiency to the delivery of those initiatives.

The Balanced Scorecard

Applying the balanced scorecard to information security operations at Los Alamos is one of the most promising new developments in our management program. The scorecard is primarily a holistic dashboard for evaluating mission delivery. When its measures are tied to the objectives and initiatives of the strategy, the scorecard provides excellent insight into the leading and lagging indicators of successful strategy execution, allowing management to foresee problems or quickly identify them as they arise. A notable bonus of tracking your information security program with the balanced scorecard is that it’s self-correcting. If several of your initiatives are marked in yellow, meaning they’re in danger, or red, which means they’re unsalvageable, but your organization is delivering on its mission, it’s a prompt to reconsider the importance of those initiatives. If your dashboard is green but your organization is not delivering, then you know your initiatives are poorly aligned with your organization’s mission.

Conclusion 

The quality of your information security operations can directly affect the success of your organization, for better or worse. Viewing information security as a cumbersome compliance exercise diminishes its usefulness to the business, and the false sense of security that comes with shallow compliance may be destructive. Implementing a holistic information security program that focuses on the customer while emphasizing competitive advantage and operational efficiency can actually create value and drive success. Los Alamos’s approach, which combines the balanced scorecard with the novel information security value sphere, is one path to achieving information security excellence.


Jamil Farshchi is chief information security officer and Ahmad Douglas is senior cyber security leader at Los Alamos National Laboratory.

HOW SECURITY SHOULD HANDLE

Anthony Manley’s book Security Manager’s Guide to Disasters covers everything from workplace violence to earthquakes. The practical tips in this excerpt address workers’ right to picket and what security can do to help keep such situations orderly and appropriate.

Other than a strike and picket action by a group of employees against an employer to gain some wage increase or to gain or retain some benefit, we must consider that other demonstrations may take place that could affect a business enterprise.

Groups or crowds that may assemble to demonstrate or to picket a company because of some business practice that they feel offends them or others should be handled in the same way as a strike incident. An example of such activity could include issues such as offensive hiring practices, sexual or age discrimination or harassment practices, animal rights (retail stores that sell furs or animal products), or conduct considered abhorrent to certain religious groups (e.g., abortion clinics). If management cannot resolve the situation, the police should be requested. If the occurrence causes a business disruption or if their presence is illegal, picketers can be removed. Caution and discretion in tactics must be considered if the company hopes to avoid bad press and publicity.

Under various federal laws and sanctions, when a labor violation does in fact occur, a business may seek monetary damages, criminal sanctions, injunctive relief (judgment of unfair labor practices), and disciplinary actions against individuals or the union as a group.

However, concerning a demonstration other than a labor issue, a citizen has the right to peaceful assembly under the First Amendment of the U.S. Constitution. This amendment protects the right to picket, no matter whether the purpose is a labor dispute, civil rights, or other demonstrations. Generally, picketing is protected when it is for a lawful purpose, conducted in an orderly manner, and publicizes a grievance of some kind.

The following are the generally accepted rules that control and regulate walkouts and strike actions throughout the country.

The Right to Picket

1. Pickets (strikers) have the right to picket, demonstrate, and hold meetings as long as such activity does not violate local, state, or federal law.

2. Pickets need not be employees of the company. They may be other union members acting in sympathy with the striking union, or friends and family members of the strikers. However, they are subject to the same restrictions and laws governing the striking union members.

3. Pickets have the right to picket as long as it does not cause a disruption of any of the functions or objectives of the business; they may not interfere with business operations.

4. Picketing is legal as long as it does not limit or deny access of employees, customers, visitors, vehicles, deliveries, etc., to the business and any of its components. Blocking anyone or any vehicle from entering or leaving the business property, physically or by threatening behavior, is illegal. Strikers causing damage to any vehicle crossing the picket line while attempting to enter the property of the facility commit the crime of criminal mischief, reckless or criminal damage to property, or criminal tampering with intent to cause damage or substantial inconvenience. In addition, strikers causing harm to other employees or persons wishing to enter the striking premises may commit the crime of assault. If an implement is used and causes damage or injury, the criminal charge will be elevated to a higher degree. Check the local or state laws that apply to your employer for the correct statute warranted.

5. Pickets may act as individuals, but not in the name of the employer or any of its component parts.

6. Handout literature may be given out by pickets to passersby, but cannot be forced upon them.

7. Any picketing activity must be peaceful. Pickets may not jeopardize safety or the preservation of order.

8. Pickets cannot apply secondary pressure or boycotts against neutral or secondary employers or businesses.

9. The police have the authority to impose conditions and the number of pickets where they believe large groups of people are likely to cause disruptive or criminal acts.

Accepted Business Practices for Handling Picketing Events

What a Business Should Do. The administrators and/or management of a business enterprise may wish to engage in all or some of the following actions:

1. Upon determining that there will be some type of picketing movement against the company for any reason, company management should notify the local police precinct. The police will determine whether permits are required for assembly and/or picketing, control the size of the picket action, and regulate their conduct according to law.

2. Where picketing may be spontaneous or lack direction or organization, management may wish to inquire of the demonstrators or pickets the reason or issues for such activity against the company. If the activity cannot be resolved, the police should be called upon to examine, control, or disperse the group.

3. Depending on the number of pickets and their demeanor, police officers may or may not be permanently assigned to the demonstration. If the picketing is of a minor nature, the regular radio motor patrol car on post will give intensive patrol to the scene. Company security personnel should monitor the demonstration closely and request police assistance as may be required.

If the picket line is large or must be closely supervised, police officers will be assigned to fixed posts at the picketing location.

4. Corporate management or security agents (this would include private investigators and security officers) may videotape any picketing action for the purpose of identifying any violent or unlawful act by individuals or groups (strike leaders, organizers, or strikers). Videotaping for any other reason cannot be justified and may be illegal. Check with local civil authorities.

5. Corporate management or agents may use undercover operatives or employee loyalists for the purpose of advising the business owner of any criminal acts that have occurred, that may occur, or any actions that might affect the business enterprise.

6. Corporate management may wish to proclaim a trespass advisement. Once the pickets or the organizer of the picketing action are advised and notified by business management that the picketing group, acting individually or in concert, is not to enter upon the property of the business for any reason, such intruder may be arrested for trespassing by company security personnel and turned over to the police for adjudication. Proper notification and documentation of the trespassing warning should be compiled for future reference and/or court action.

7. Management should advise company personnel who are not involved in the protest to avoid openly commiserating, interfering, agitating, or in any way becoming involved with demonstrators or pickets.

8. Company security personnel must be made aware of the precautions and actions noted herein; specifically, they must be able to distinguish between those actions they must avoid and those they may react to within the law and the parameters the company may authorize.

9. Most importantly, consider that whatever the size and reason for the picketing action, the media will surely be advised, and may respond to observe the strike and the participants. Company management should be ready to respond to any questioning by the media. This will include a prepared statement ready for distribution.


What a Business Can Do. Regarding any violation by the pickets or the organizers of the picketing action that affects the business operation, causes adverse publicity, or has an effect on the goodwill of the corporation, management may seek an injunction in court requiring picketers to cease and desist. Videotapes and personal observations reduced to sworn statements may be required to bolster the initiation of any criminal or civil litigation.

1. Picketing may be limited to one site (e.g., the main entrance to the business).

2. Pickets do not have the right to picket on the business property. They should be removed to public property or public right-of-way (sidewalk, curb, street).

3. Physical obstruction, creation of a blockade, or interference with another person’s rights is unlawful, whatever the protest.

4. Pickets may not block access to the business facility, its parking fields, or its property. They may not obstruct a sidewalk, driveway, parking field, or any right-of-way from use by anyone who desires to drive, walk, or in any way enter the business picketed.

5. If the number of people on the picket line appears to be excessive (mass picketing), and intimidating to people attempting to cross the line to work, deliver goods, or conduct business in any way, such action may not be considered as an attempt at peaceful persuasion, but may be considered a breach of the peace.

6. Picketers’ autos in the company parking lot or field may be towed off premises. The business may reserve the right to park vehicles to employees, customers, visitors, and other persons who wish to conduct legitimate business.

7. Pickets may not demonstrate within a private business facility. This includes parking fields and areas owned or leased by the company.

8. Pickets may not picket on an adjacent business property without the permission of that business or landowner.

9. Pickets may not cause a disturbance or commit a disorderly act, individually or in concert. This includes loud and abusive language, obscene or foul language, offensive gestures, threats, and shoving, pushing, or fighting among themselves or others.

10. Any malicious damage to vehicles or to personal or corporate property upon entering or leaving or while on the business property must be addressed immediately with corporate and police response against the violators.

11. Trash bins or baskets may be located at staff entrances or public entrances for the purpose of discarding or disposing of handbills or handout material from the demonstrators to employees, passersby, or visitors. Disposal must be voluntary by the individual.

12. Company personnel may remove any unauthorized postings or signage concerning the demonstration in question that are in or on the business property.

What a Business Cannot Do. An owner, administrator, or manager of a business, including its agents and employees, is restrained from certain conduct that may arise or take place regarding union activities and strikes.

1. An employer cannot (a) threaten or coerce an employee from engaging in union activities or (b) threaten to close the facility if a union comes in.

2. An employer cannot deny an employee the right to vote for union representation.

3. An employer cannot spy on union activities. This includes company informants paid for such actions or outside contractual agents (private investigators).

4. An employer cannot ask an employee about his or her union activities or attitudes.

5. An employer cannot fire, transfer, or demote in retaliation for union activities.

6. The corporate management and its agents may not interfere in any way with the picketing action, other than by lawful means (seeking a court order) or entering into some communication, interaction, and agreement in an effort to end the demonstration.

Conclusion

People have a right to protest, but such right is not unlimited. If union members wish to picket, the picketing must be lawful. In an effort to control any action that may get out of hand, the police or local governing authority may set reasonable restrictions, including the time, place, and size of the picketing group. ■

Excerpted by permission from Security Manager’s Guide to Disasters, CRC Press, 2009. www.crcpress.com
[INDUSTRY VIEW]

By Jim Hurley, Symantec

Want to Reduce IT Risk? Hire a CISO


As cybercriminals become more proficient and data breaches continue to make headlines, company decision makers are trying to focus more closely on securing sensitive information. And as more organizations prioritize security investments, new research sheds light on the major factors that lead to better business outcomes related to IT security. That research shows that having a chief information security officer plays a big role in determining whether a company will succeed in IT security.

Of course, hiring a CISO doesn’t automatically guarantee better results. Merely being able to tick a box labeled “Yes, we have a CISO” on a checklist of requirements for passing a critical audit is not enough to curb the impact of IT failures on business operations, reduce the risk of theft or loss of sensitive information, and improve business results. By hiring the right people and aligning organizational procedures and policies, the best-performing organizations drive down costs and risks while improving business results. More companies with the best outcomes use CISOs to manage information security.

The Rise of the CISO

Despite facing one of the worst economic downturns in recent history, companies continue to place a high priority on information security. More organizations than ever have CISOs: 44 percent of companies employed a CISO in 2009 compared to 29 percent in 2008, according to the 2010 Global Information Security Survey conducted by CSO, CIO and PricewaterhouseCoopers. This contrasts dramatically with a decade ago, when most security tasks would be handled by an organization’s operations group.

As stories of data breaches continue to make headlines, more and more organizations have come to understand how important it is to mitigate security risks. A growing emphasis on security has changed not only the role of the CISO, but also how the CISO is viewed by the organization’s corporate decision makers. Whereas yesterday’s CISOs were in charge of day-to-day security operations, today’s are strategists and partners in the development of a company’s growth plans.

Companies With CISOs Are More Successful

As the trend toward hiring CISOs grows, the benefits of doing so have become more apparent. Companies with a CISO actually have better outcomes than those without one, new research from the IT Policy Compliance Group found. In fact, of the companies with the best outcomes, 78 percent have CISOs, while only 22 percent do not.

The IT Policy Compliance Group found that companies that enjoy the best outcomes manage information security through a CISO who reports to a chief risk officer, a chief compliance officer, the senior leader of IT assurance or the CIO. Those organizations focus on operational excellence in IT by implementing standardized procedures and controls based on best-practice frameworks (e.g. ISO, CobiT or PCI), automating those procedures and controls, and regularly measuring, assessing and reporting on risk. The net results include reductions in spending on audits, reduced data theft and higher customer retention rates. Those organizations also have higher profits and revenues and higher levels of business productivity from IT.

CISOs Reduce Risk

A CISO can help a company be more successful, but it is important to note that the most successful companies are those with a named CISO, not just a manager who performs a CISO’s duties. Companies with a named CISO are 10 times more likely to experience the least loss or theft of customer data, the IT Policy Compliance Group found.

In contrast, organizations where the security function is managed at lower levels within IT operations are four to eight times more likely to be among those with the highest rates of data loss and theft.

In addition, the best-performing organizations with CISOs manage business productivity and risks by creating policies and targets for minimum acceptable downtime and maximum acceptable risks. They also measure, assess and report on risks daily, weekly and monthly. Organizations with the worst business outcomes do not have such policies and targets, and report no more than every five months.

CISOs Reduce Costs

Along with reductions in risk, the most successful companies with a named CISO experience less financial exposure from data loss and theft.

Of the organizations with the best outcomes studied by the IT Policy Compliance Group, one in 10 spends 0.4 percent of revenue on data loss exposure, whereas companies with the worst outcomes spend 9.6 percent of revenue on costs related to data loss.

Other studies reveal similar findings. Companies that experienced a data breach last year but had a CISO in place to manage the incident experienced an average cost of $157 per compromised record, versus $236 for companies without CISO leadership, according to the Ponemon Institute’s 2009 Cost of a Data Breach study. This means companies that experienced a data breach but did not have CISOs spent 50 percent more than companies with CISOs.

The Ponemon Institute notes that this outcome is likely due to “the strategic role CISOs play in ensuring [that] security and privacy measures are effectively implemented.”

In addition to lowering costs in the event of a data breach, the most successful companies with CISOs also spend 50 percent less on regulatory compliance, the IT Policy Compliance Group found.

The average amount spent on audits by organizations with normal outcomes is $3.70 for every dollar spent on information security and assurance, according to the IT Policy Compliance Group. In contrast, the amount spent on audits by the best-performing organizations is $1.30 for each dollar spent on information security and assurance; that’s $2.40 less in audit expenses for each dollar spent on information security.

CISOs Highlight the Need for More Than Just Technology

CISOs reduce risk and costs, but they also highlight the importance of viewing security as part of the business process, rather than just an IT problem.

For organizations plagued with the highest rates of data loss and theft, a common management attitude toward information security is that it’s only a technology issue. Those organizations leave security to be managed by IT operations without the proper oversight and control, the IT Policy Compliance Group found.

Companies that have the best business outcomes are managing information security at a higher level as a quality-controlled function that goes beyond the technologies involved. Automation of policies, procedures and controls is an important part of the equation for the companies with the best outcomes.

Among the organizations with the best outcomes, an average of two-thirds of the procedures and controls related to the information security and assurance function are fully automated, according to the IT Policy Compliance Group. Contrast this with the worst-performing organizations, which automate less than one-third of procedures and technical controls.

Simply put, CISOs contribute to better business results by making sure security measures are fully implemented, standardizing and automating procedures, and playing a strategic role within the organization to ensure that information security is part of the business process. ■


Jim Hurley is a senior research manager and the managing director of the IT Policy Compliance Group at Symantec.
[debriefing]

Crowded Houses

1. How many South African cities are hosting World Cup games this year?

a) 5 b) 10 c) 15 d) 20

2. What is the approximate seating capacity of the largest South African soccer venue?

a) 19,000 b) 30,000 c) 40,000 d) 90,000

3. How many police officers (as opposed to security guards) has the country deployed for World Cup security?

a) 19,000 b) 30,000 c) 40,000 d) 90,000

4. Which stadium has the largest seating capacity?

a) Soccer City in Johannesburg
b) The Meadowlands in New Jersey
c) The Bird’s Nest in Beijing
d) Beaver Stadium, University Park, Pennsylvania

5. What is the approximate seating capacity of the Los Angeles Lakers’ home court, the Staples Center?

a) 19,000 b) 30,000 c) 40,000 d) 90,000

6. Approximately how many fans gathered in L.A. after the Lakers’ 2009 championship-sealing game?

a) 19,000 b) 30,000 c) 40,000 d) 90,000

7. According to UN statistics from 2000, which country ranked above South Africa in murders per capita?

a) Mexico b) Russia c) Venezuela d) None of the above

8. According to UN statistics from 2000, which country has the highest reported level of crime per capita?

a) South Africa b) Russia c) China d) The United States

Bonus 1:
How soon after the Lakers clinched the 2010 NBA championship did official crowd dispersal efforts begin?

Bonus 2:
How did the L.A. police arson unit identify perpetrators of post-game mischief?

So, how’d ya do?

0-3 points: Flopped
4-7 points: Hit the post
8-10 points: GOOOOOAAAAALLLLLLLLL
Two-Factor Authentication

“Even if a hacker has your password, your account remains secure.” - New York Times

Get the strong two-factor security you need to protect against today’s sophisticated threats without the hassle and cost of yesterday’s technology.

PhoneFactor

Easy to Setup, Manage, and Use
Strong Out-of-Band Authentication
Rapid Regulatory Compliance
Far Less Expensive Than Tokens

www.phonefactor.com

1.877.NoToken

User enters username and password

Instantly, user receives a call, simply answers and presses # (or a PIN) to complete the login


People need boundaries, not walls.

In the world of Web 2.0, you cannot safely distribute full admin rights on desktops or root passwords on servers.

So how do you protect against misuse of privileges, whether intentional, accidental or indirect, without stifling productivity? By allowing specific applications, tasks and commands. BeyondTrust makes it simple. Transparently brokering permissions from a central console, it enables users to work without interference, and provides detailed privileged access logging, key logs, and audit trails.

So don't think you have to choose between security and productivity, or risk non-compliance.

Delegate privileges with certainty and clarity... with BeyondTrust.